Network authentication system with dynamic key generation

ABSTRACT

A network authentication system with dynamic key generation that facilitates the establishment of both endpoint identity, as well as a secure communication channel using a dynamically-generated key between two end devices (potentially on separate local area networks). An interactive or non-interactive authentication protocol is used to establish the identity of the target end device, and dynamic key generation is used to establish a shared symmetric session key for creating an encrypted communication channel between the end devices.

CROSS REFERENCE TO BELATED APPLICATIONS

This application claims the benefit of the priority of and incorporates by reference provisional U.S. patent application Ser. No. 62/001,979 filed May 22, 2014.

FIELD OF THE INVENTION

This disclosure relates generally to network authentication, and in particular but not exclusively, to authentication to protect against tampering and subversion by substitution.

BACKGROUND OF THE INVENTION

An essential aspect of online communication is the ability of two endpoints to establish an authenticated channel based on their respective identities. One solution to this employs public key infrastructure (PKI), wherein public keys allow end devices to be reasonably convinced that they are communicating only with each other. In this scheme, however, an endpoint and its identity are generally independent, i.e., an arbitrary identity is generated and assigned to an endpoint.

In various device authentication schemes, physical unclonable functions (PUFs) have been used such that each device has a unique identity intrinsically linked to the device. Rührmair et al. (“Modeling Attacks on Physical Unclonable Function.” Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 237-249, ACM. 2010) define three distinct classes of PUF devices:

-   -   A Weak PUF is typically used only to derive a secret key. The         challenge space may be limited, and the response space is         assumed to never be revealed. Typical constructions include the         SRAM (Holcomb et al., “Initial SRAM State as a Fingerprint and         Source of True Random Numbers for RFID Tags,” In Proceedings of         the Conference on RFID Security, 2007), Butterfly (Kumar et al.,         “Extended abstract: Butterfly PUF Protecting IP on Every FPGA,”         IEEE International Workshop on Hardware-Oriented Security and         Trust, pages 67-70, 2008), Arbiter (Lee et al., “A technique to         build a secret key in integrated circuits for identification and         authentication applications,” IEEE Symposium on VLSI Circuits:         Digest of Technical Papers, pages 176-179, 2004), Ring         Oscillator (Suh et al., “Physical Unclonable Functions for         Device Authentication and Secret Key Generation,” Proceedings of         the 44th, annual Design Automation Conference, DAC '07, pages         9-14, ACM, 2007), and Coating (Tuyls et al., “Read-Proof         Hardware from Protective Coatings,” Proceedings of the 8th         international conference on Cryptographic Hardware and Embedded         Systems, CHES'06, pages 369-383, Springer, 2006) PUFs.     -   A Strong PUF is assumed to be (i) physically impossible to         clone, (ii) impossible to collect a complete set of challenge         response pairs in a reasonable time (typically taken to be on         the order of weeks), and (iii) difficult to predict the response         to a random challenge. For example, the super-high information         content (SHIC) PUF described by Rührmair (“Applications of         High-Capacity Crossbar Memories in Cryptography,”IEEE Trans.         Nanotechnol., volume 10, no. 3:489-498, 2011) may be considered         a Strong PUF.     -   A Controlled PUF satisfies all of the criteria for strong PUFs,         and additionally implements an auxiliary control unit capable of         computing more advanced functionalities to cryptographically         augment protocols.

PUF output is noisy in that it varies slightly despite evaluating the same input. This is generally addressed with fuzzy extraction, a method developed to eliminate noise in biometric measurements. (See Juels et al., “A Fuzzy Commitment Scheme,” Proceedings of the 6th ACM conference on Computer and Communications Security, CCS '99, pages 28-36, ACM, 1999). Fuzzy extraction may in part be employed within a device having a PUF such as within an auxiliary control unit, such that the output is constant for a fixed input. Fuzzy extraction (or reverse fuzzy extraction) may for example employ a “secure sketch,” as described by Juels et al. to store a sensitive value V to be reconstructed and a helper string P for recovering V. A secure sketch SS for input string O, where ECC is a binary (n, k, 2t+1) error correcting code of length n capable of correcting t errors and V←{0, 1}^(k) is a k-bit value, may for example be defined as SS(O;V)=O⊕ECC(V). The original value V then may be reproduced given the helper string P and an input O′ within a maximum Hamming distance t of O using a decoding scheme D for the error-correcting code ECC and O′, as D(P⊕O′)=D(O⊕ECC(V)⊕O′)=V.

A physical unclonable function P_(d):{0,1}^(κ) ¹ →{0,1}^(κ) ² bound to a device d preferably exhibits the following properties:

-   -   1. Unclonability: Pr[dist(y,x)≤t|x←U_(κ) ₁ ,y←P(x), z←P′]≤ϵ₁,         the probability of duplicating PUF P with a clone PUF P′ such         that their output distributions are t-statistically close is         less than some sufficiently small ϵ₁.     -   2. Unpredictability: It is desirable that an adversary cannot         predict a device's PUF response r for a challenge c with more         than negligible probability (at least without physical access to         the device), and that helper data does not reveal anything to an         adversary about PUF responses. Assuming that all entities are         bound to probabilistic polynomial-time (PPT), i.e., can only         efficiently perform computation requiring polynomially many         operations with respect to a global security parameter λ (which         refers to the number of bits in the relevant parameter). Adv         ^(PUF-PRED)(κ₂)=Pr[r=r′], denoting the probability of the         adversary         guessing the correct response r of the PUF P to the challenge c,         is preferably negligible in κ₂. This can be assessed, for         example, through a game between an adversary         and a PUF device P:{0,1}^(κ) ¹         {0,1}^(κ) ² mapping input strings from the challenge space         _(P) of length κ₁ to the response space         _(P) of length κ₂ where λ is the security parameter for the         protocol, given in unary as 1^(λ).

PUF-PRED: PUF Prediction Game Adversary A PUF Device P (1) c_(i) ∈ C _(P) ⊂ C_(P), → 0 ≤ i ≤ poly(λ) ← r_(i) = P(c_(i)) ∈ R _(P) (2) R _(P) ⊂ R_(P), 0 ≤ i ≤ poly(λ) (3) Challenge c ∉ C _(P) → (4) c_(i)′ ∈ C _(P)′ ⊂ C_(P), → c ∉ C _(P)′, 0 ≤ i ≤ poly(λ) ← r_(i)′= P(c_(i)′) ∈ R _(P)′ (5) R _(P)′ ⊂ R_(P), 0 ≤ i ≤ poly(λ) (6) Guess r′ 

 P(c) →

The game proceeds as follows:

1. The adversary

issues polynomially many (w.r.t. the security parameter λ) challenges c_(i)∈

_(P) to the PUF device P, where the challenge set

_(P) is a proper subset of the entire challenge space

_(P).

-   -   2. The PUF device P returns the responses {r_(i)|r_(i)←P(c_(i))}         to         .     -   3. The adversary         eventually outputs a challenge c that was not in the original         set of challenge queries         _(P). The adversary is not allowed to query the PUF device P on         the committed challenge c.     -   4. The adversary         may once again issue a new set of polynomially many challenges         c_(i)′∈         _(P)′ to the PUF device P. The adversary is not allowed to query         the PUF device P on the committed challenge c.     -   5. The PUF device P returns the responses         {r_(i)′|r_(i)′←P(c_(i)′)} to         .     -   6. The adversary         eventually outputs a guess r′ for P's response to the committed         challenge c.

The adversary only wins the game when guess r′ is equal to P's actual response r←P(c) to

's committed challenge c. (As noted, the PUF's output is noisy and will vary slightly on any fixed input, so the equality is typically taken with respect to the output of a fuzzy extractor (e.g., Dodis et al., “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” SIAM J. Comput., volume 38, no. 1:97-139, 2008)).

-   -   3. Robustness: Pr[dist(y,z)>t|x←U_(κ) ₁ ,y←P(x), z←P(x)]≤ϵ₂,         i.e., the probability of a fixed PUF P yielding responses         t-distant on the same input x is less than some sufficiently         small ϵ₂.     -   4. Indistinguishability: The output of the PUF device (typically         fuzzy extractor output) preferably is computationally         indistinguishable from a random string of the same length l,         such that a PPT adversary         's advantage Adv         ^(PUF-IND)(l) is at most negligibly more than ½. The         indistinguishability of a PUF can be assessed, for example,         through a game in which an adversary         is asked to differentiate between the output r of the fuzzy         extractor for a PUF P and a randomly chosen string s∈{0,1}^(l)         of the same length l.

PUF-IND: PUF Inistinguishability Game Adversary A PUF Device P (1) c_(i) ∈ CH ⊂ C_(P), → (R_(i), H_(i)) ← 0 ≤ i ≤ poly(λ) Gen(r_(i) = P(c)) ← H_(i) ∈ R _(P) ⊂ R_(P), (2) 0 ≤ i ≤ poly(λ) (3) c_(i) ∈ CH ⊂ C_(P), → 0 ≤ i ≤ poly(λ) ← R_(i) ∈ R _(P) ⊂ R_(P), (4) 0 ≤ i ≤ poly(λ) (5) Challenge c ∉ CH → b ∈ {0, 1} ← b(s ∈ {0, 1}^(l))+ (6) (1 − b)(R_(i)), R_(i) = Rep(P(c), H_(i)) (7) c_(i)′ ∈ CH ⊂ C_(P), → c ≠ c_(i)′, 0 ≤ i ≤ poly(λ) ← R_(i)′ ∈ R _(P) ⊂ R_(P), (8) 0 ≤ i ≤ poly(λ) (9) Guess b′ 

 b →

This game proceeds as follows:

-   -   1. Adversary         executes the enrollment phase on any challenge c_(i)∈         _(P).     -   2. The PUF device returns the corresponding helper string H_(i)         from the output of Gen. Denote this set of challenge-helper         pairs (c_(i), H_(i)) as         .     -   3. Adversary         now requests the PUF response r_(i)=P(c_(i)) for any c_(i)∈         . Denote the set of requested challenges in this step         .     -   4. For all requests c_(i)∈         , the PUF device returns the set {r_(i)|r_(i)←P(c_(i))}.     -   5. Adversary         selects a challenge c∉         , such that         has H_(i) but not R_(i) for c. The PUF device chooses a bit         b∈{0,1} uniformly at random.     -   6. If b=0,         is given R_(i)=Rep(P(c)=r_(i), H_(i)). Otherwise, if b=1 then         is given a random string s∈{0,1}^(l).     -   7. Adversary         is allowed to query the PUF device for c_(i)′∈         so long as no c_(i)′=c.     -   8. For all requests c_(i)′≠c, the PUF device returns the set         {r_(i)′|r_(i)′←P(c_(i)′)}.     -   9. The adversary outputs a guess bit b′, and succeeds when b′=b.         Related assessments of PUFs are provided by Hori et al.,         “Quantitative and Statistical Performance Evaluation of Arbiter         Physical Unclonable Functions on FPGAs,” 2010 International         Conference on Reconfigurable Computing and FPGAS (ReConFig),         pages 298-303, 2010; Maiti, A Systematic Approach to Design an         Efficient Physical Unclonable Function, dissertation, Virginia         Tech, 2012, and others.

Various authentication schemes utilize zero knowledge proofs of knowledge, which is a method for proving that a given statement is true, while revealing nothing beyond this fact. The zero knowledge proof is an interaction between two parties: a prover

that wishes to establish the validity of a statement, and a verifier

that must be convinced the statement is true. The verifier should be convinced with overwhelming probability that a true statement is indeed true. With a zero knowledge proof of knowledge, the verifier could not use the messages from a previous proof to convince a new party of the statement's validity, and the messages reveal only a single bit of information: whether or not the prover

possesses the secret. There are two general classes of zero knowledge proofs: interactive zero knowledge proofs, where a series of messages are exchanged between the prover

and verifier

, and non-interactive zero knowledge proofs, where the prover

conveys a single message

without interaction with

, yet

is convinced that

possesses the secret. Many (interactive) zero knowledge proof systems require multiple iterations to establish the validity of a statement. That is, each interaction may succeed with some probability, even if the prover does not possess the secret (or the statement is false). Thus, if the probability of success when the statement is false is p, the protocol is run n times until 1−(p)^(n) is sufficiently close to 1.

SUMMARY OF THE INVENTION

An authentication system according to an embodiment of the invention facilitates the establishment of both endpoint identity, as well as a secure communication channel using a dynamically-generated key between two end devices (potentially on separate local area networks). An interactive or non-interactive authentication protocol is used to establish the identity of the target end device, and dynamic key generation is used to establish a shared symmetric session key for creating an encrypted communication channel between the end devices. In one embodiment, the shared symmetric session key may then be updated as desired, and encrypted under a new dynamically-generated key.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a diagram illustrating dynamic key generation between devices in an embodiment of the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS

The present detailed description is based on the example of an embodiment utilizing elliptic curve cryptography (including the associated terminology and conventions), but the inventive concept and teachings herein apply equally to various other cryptographic schemes such as ones employing different problems like discrete logarithm or factoring. Likewise, the invention is not limited by the various additional features described herein that may be employed with or by virtue of the invention.

In order to construct an intrinsic identity of a device, a public representation of the device's identity (referred to here as an enrollment token or public key) is generated. An elliptic curve mathematical framework may be used, but those skilled in the art will realize that other frameworks (e.g., discrete logarithm frameworks, in which regard U.S. Pat. No. 8,918,647 is incorporated here by reference) will provide the same functionality. A cryptographic enrollment token (or series of tokens) {(c_(d), P_(d), A_(d) mod p)} is collected from each PUF device d in response to a challenge query (or queries) by the server. Each device chooses a private key

_(d) ^(priv) uniformly at random from the space {0, 1}^(λ), where λ is the security parameter (e.g., the number of bits in the modulus p) and calculates A_(d)=

_(d) ^(priv)·G mod p as the device's public key, were G is a base point of order q on an elliptic curve over

. Preferably, no sensitive information is transmitted over the communication channel or stored in non-volatile memory (for example, the device may discard

_(d) ^(priv) after generating A_(d)). When

_(d) ^(priv) is needed to authenticate the device, the enrollment token (c_(d), P_(d), A_(d) mod p) allows the device d to regenerate

_(d) ^(priv) and complete the proof. Algorithm 1 describes an exemplary enrollment protocol in pseudocode.

Algorithm 1 Enrollment Algorithm for Server s do  Select finite field 

 _(p) of order p  Select E, an elliptic curve over 

 _(p)  Find G ∈ E/ 

 _(p), a base point of order q end for for Server s do  c_(d) ← random ∈ 

 _(p), a random group element  Device d ← {c_(d), E, G, p, q} end for for PUF Device d do  x = H(c_(d),E,G, p, q)  O = PUF(x)  helper_(d) = P_(d) = O ⊕ ECC(P^(priv))  token_(d) = A_(d) = P_(d) ^(priv) · G mod p  Server s ← {token_(d), helper_(d)} end for for Server s do  Store new enrollment entry {c_(d), (P_(d) ^(priv) · G mod p), P_(d)} end for (The enrollment process preferably should be required only once, and preferably should ensure that in the event of a security breach the device can remain active through a minor change on the server side without re-enrollment. As described in U.S. Pat. No. 8,918,647 which is incorporated herein by reference, a challenge-response tree can be constructed wherein only the root node is directly derived from a PUF response, with derived tokens being generated from those collected during enrollment.

A PUF-enabled device may locally store and retrieve a sensitive value preferably without storing any sensitive information in non-volatile memory. Algorithm 2 illustrates the storing of a sensitive value (e.g.,

_(d) ^(priv)) using a PUF, and Algorithm 3 illustrates the regeneration of the sensitive value. The challenge c_(d) and helper data helper_(d) for device d can be public, as neither reveals anything about the sensitive value. While the present example uses encryption of the sensitive value by exclusive-or, ⊕, alternately the value could for example be used to form a key to other encryption algorithms (e.g., AES) to enable storage and retrieval of arbitrary-sized values.

Algorithm 2 PUF-Store Goal: Store value P_(d) ^(priv) for PUF Device d do Select finite field  

 _(p) of order p Select E, an elliptic curve over 

Find G ∈ E/ 

 _(p), a base point of order q Select challenge c_(d) ∈ 

 _(p) x = H(c_(d), E, G, p, q) O = PUF(x) helper_(d) = P_(d) = O ⊕ ECC(P_(d) ^(priv)) Write {c_(d), helper_(d)} to non-volatile memory end for

Algorithm 3 PUF-Retrieve Goal: Retrieve value P_(d) ^(priv) for PUF Device d do  Read {c_(d), helper_(d)} from non-volatile memory  x ← H(c_(d), E, G, p, q)  O′ = PUF(x)  P_(d) ^(priv) ← D(helper_(d) ⊕ O′) end for Whenever O and O′ are t-close, the error correcting code ECC can be passed to a decoding algorithm D to recover the sensitive value.

The authentication phase allows a server to verify that a client device is authorized to issue a request. In an elliptic curve embodiment, upon receiving a request from a device, the server can conduct an elliptic curve variant of Chaum et al.'s (“An Improved Protocol for Demonstrating Possession of Discrete Logarithms and some Generalizations,” Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques; EUROCRYPT'87, pages 127-141, Springer, 1988) zero knowledge proof protocol with the device d to establish permission to perform the request, as shown in Algorithm 4.

Algorithm 4 Authentication Algorithm for PUF Device d do  Server s ← request end for for Server s do  Device d ← {c_(d), G, P_(d), N, p, q} where N is a nonce and P is the helper string end for for PUF Device d do  x ← H( c_(d), E, G, p, q)  P_(d) ^(priv)← PUF-Retrieve  r ← random ϵ

_(p,) a random group element  B ← r · G mod p  h ←Hash(G, B, A, N)  m ← r + h · P_(d) ^(priv) mod p  Server s ← {B, m} end for for Server s do  h′ ← Hash(G, B, A_(d), N)  B′ ← m · G − h′ · A mod p $\left. {{Device}\mspace{14mu} d}\leftarrow\left\{ \begin{matrix} {{{accept}\text{:}\mspace{14mu} B^{\prime}} = {{B\bigwedge\tau}\mspace{14mu}{is}\mspace{14mu}{current}}} \\ {{{deny}\text{:}\mspace{14mu} B^{\prime}} \neq {{B\bigvee\tau}\mspace{14mu}{is}\mspace{14mu}{not}\mspace{14mu}{current}}} \end{matrix} \right. \right.$ end for The requirement for communication front the verifying end device in the interactive zero knowledge proof is to obtain a nonce value specific to the current proof. This prevents an eavesdropping adversary from using previous proofs from a valid device to successfully complete an authentication protocol and masquerade as the end device.

A non-interactive zero knowledge proof removes this communication requirement, and allows a proof to be completed without interacting with the verifying endpoint. A non-interactive construction of Algorithm 4 requires the device to generate the nonce on behalf of the verifier in a manner that prevents the proving end device from manipulating the proof. As one example, the proving end device may construct the nonce N as N←H(

_(d) ^(priv)·G mod p|τ) where H is a hash function, τ is a timestamp and x|y denotes concatenation of x and y. The timestamp ensures that previous proofs constructed by the proving end device cannot be replayed by an adversary in the future, while the hash function ensures that the proving end device cannot manipulate the challenge in an adversarial manner. The timestamp preferably need not match the current timestamp on arrival at the prover, with the verifying endpoint instead checking that the timestamp is reasonably current (e.g. second granularity) and monotonically increasing to prevent replay attacks. Algorithm 5 provides a non-interactive authentication protocol.

Algorithm 5 Non-Interactive Authentication Algorithm for PUF Device d do  x ← H{c_(d), E, G, p, q}  P_(d) ^(priv)← PUF-Retrieve  A_(d) = P_(d) ^(priv) · G mod p  r ← random ϵ

_(p,) a random group element  B ← r · G mod p  N ← Hash(A_(d)|τ) where τ is the current timestamp  h ← Hash(G, B, A_(d), N)  m ← r + h · P_(d) ^(priv) mod p  Server s ← {B, m, τ} end for for Server s do  A_(d) = P_(d) ^(priv) · G mod p (stored from device enrollment)  N ← Hash(A_(d)|τ)  h′ ← Hash(G, B, A_(d), N)  B′ ← m · G − h′ · A_(d) mod p $\left. {{Device}\mspace{14mu} d}\leftarrow\left\{ \begin{matrix} {{{accept}\text{:}\mspace{14mu} B^{\prime}} = {{B\bigwedge\tau}\mspace{14mu}{is}\mspace{14mu}{current}}} \\ {{{deny}\text{:}\mspace{14mu} B^{\prime}} \neq {{B\bigvee\tau}\mspace{14mu}{is}\mspace{14mu}{not}\mspace{14mu}{current}}} \end{matrix} \right. \right.$ end for Non-interactive authentication may be employed so as to provide first packet authentication in zero knowledge. For example, the first packet sent by the proving end device may contain the following authentication token, which is sufficient for the verifying end device to establish the identity of the proving end device: auth={B=r·G mod p, m=r+h·

_(d) ^(priv) mod p,τ}. The authentication is first packet in that no communication with the receiving (verifying) end device is necessary before constructing the authentication token. Further, verification of the sending (proving) end device completes without communication with the sending (proving) end device. An eavesdropping adversary observing packet auth will be unable to replay the packet, as the timestamp τ will no longer be current. Algorithm 6 illustrates device-to-device first packet mutual authentication.

Algorithm 6 Non-Interactive Mutual Authentication Algorithm for PUF Device d ϵ {0,1} do  x ← H( c_(d), E, G, p, q)  P_(d) ^(priv)← PUF-Retrieve  A_(d) = P_(d) ^(priv) · G mod p  r ← random ϵ

_(p,) a random group element  B_(d) ← r · G mod p  N_(d) ← Hash(A_(d)|τ_(d)) where τ_(d) is the current timestamp  h ← Hash(G, B, A_(d), N_(d))  m_(d) ← r + h · P_(d) ^(priv) mod p  Device (1 − d) ← {B_(d), m_(d), τ_(d)}  A⁽¹ ⁻ _(d)) ← QueryServer(DeviceID =(1 − d))  N⁽¹ ⁻ _(d)) ← Hash(A⁽¹ ⁻ _(d))|τ⁽¹ ⁻ _(d)))  h⁽¹ ⁻ _(d))′ ← Hash(G, B⁽¹ ⁻ _(d)), A⁽¹ ⁻ _(d)), N⁽¹ ⁻ _(d)))  B⁽¹ ⁻ _(d))′ ← m⁽¹ ⁻ _(d)) · G − h⁽¹ ⁻ _(d))′ · (A⁽¹ ⁻ _(d)) mod p $\left. {{Device}\mspace{14mu}\left( {1 - d} \right)}\leftarrow\left\{ \begin{matrix} {{{accept}\text{:}\mspace{25mu} B_{({1 - d})}^{\prime}} = {{B_{({1 - d})}\bigwedge\tau_{({1 - d})}}\mspace{14mu}{is}\mspace{14mu}{current}}} \\ {{{deny}\text{:}\mspace{25mu} B_{({1 - d})}^{\prime}} \neq {{B_{({1 - d})}\bigvee\tau_{({1 - d})}}\mspace{14mu}{is}\mspace{14mu}{not}\mspace{14mu}{current}}} \end{matrix} \right. \right.$ end for Two communicating devices can as desired (i.e., dynamically), (re)authenticate using Algorithm 6 and simultaneously establish a new session key by sending an auth-update message including the authentication token and a new session key. Referring to FIG. 1 for example, if device D1 wishes to prove identity on the first packet to device D5, and simultaneously establish a new session key with device D5, the auth-update packet is then {B_(D1)=r·G mod p, m_(D1)=r+h·

_(D1) ^(priv) mod p,τ_(D1), E_(A) _(D5) (session-key_((D1,D5)), SIG_(D1)(H(session-key_((D1,D5)))))}.

One embodiment of such a device may comprise a Xilinx Artix 7 field programmable gate array (FPGA) platform, equipped, e.g., with 215,000 logic cells, 13 Megabytes of block random access memory, and 700 digital signal processing (DSP) slices. In an embodiment employing elliptic curve cryptography, for example, the hardware mathematics engine may be instantiated in the on-board DSP slices, with the PUF construction positioned within the logic cells, and a logical processing core including an input and output to the PUF and constructed to control those and the device's external input and output and to perform algorithms (sending elliptic curve and other mathematical calculations to the math engine) such as those described above. Devices (e.g., D1-D8 in FIG. 1) thus constructed can then be connected (such as via a network) and perform non-interactive mutual authentication and dynamic key generation. Numerous other physical embodiments are readily apparent, such as using a coating PUF over a larger integrated circuit, etc.

In another embodiment, a new ‘public key’ of the target end device can be generated without requiring communication with the target end device to encrypt a new random session key, which will supersede the current session key. The new public key may be generated, as desired, using derived tokens as described in U.S. Pat. No. 8,918,647, which is incorporated by reference in that regard.

One skilled in the art will realize that other combinations and adaptations of the exemplary features and algorithms may be used in different applications, and the use of the device's hardware identity may be applied to a variety of cryptographic authentication techniques not limited by the zero knowledge aspect of the example provided. For example, a device wishing to communicate with a system may initially perform authentication such as according to Algorithm 5 to authenticate in the first packet to the system and the system may then perform the dynamic session key establishment protocol (through an auth-update message) with the device to initiate a secure communication channel. Further, the authentication protocol need not be limited to zero knowledge, and could be based on other cryptographic constructions for establishing identity. For example, a server may send a device a challenge message, which the device digitally signs using its hardware identity e.g., using the private key regenerated by the device's PUF and a standard signature algorithm) and includes this signature in the packet header (e.g., TCP Options Header) returned to the server. Upon receipt, the server verifies the digital signature over its challenge is valid using the device's public key.

As one embodiment of the invention relies on an elliptic curve mathematical framework, one skilled in the art will realize that it may be extended to support cryptographically-enforced role based access control (RBAC). That is, data access policies and device credentials may be specified mathematically, and the RBAC algorithm computes a function ƒ(

,

)

{0, 1} mapping policies

and credentials

to an access decision in {0,1}. This is typically accomplished by constructing a bilinear pairing (e.g. Well or Tate pairing). 

What is claimed is:
 1. A secure communication device comprising: a hardware identity module comprising a hardware-intrinsic identity unique to the device, wherein the hardware identity module is configured to output a unique value based on physical properties of circuitry of the hardware identity module and a challenge value associated with generation of an authentication token; and a processor connected to the hardware identity module, wherein the processor is configured to: receive an output value from the hardware identity module corresponding to the challenge value; generate, using the output value, a first authentication token encoded with a public key associated with the hardware-intrinsic identity of the secure communication device; generate a first authentication packet including the first authentication token; and transmit, to a verifying device, the first authentication packet for non-interactive authentication in zero knowledge, wherein the first authentication packet enables the verifying device to authenticate the secure communication device in zero knowledge by indicating, to the verifying device, that the secure communication device possesses a secret without revealing the secret to the verifying device.
 2. The secure communication device of claim 1, wherein the processor is further configured to: encrypt a session key using asymmetric encryption and a public key associated with the verifying device; and include the encrypted session key in the first authentication packet.
 3. The secure communication device of claim 1, wherein the processor is further configured to generate a nonce value for blinding the first authentication token.
 4. The secure communication device of claim 2, wherein the processor is further configured to include in the first authentication packet an encrypted signature of the secure communication device over the session key.
 5. The secure communication device of claim 1, wherein the processor is further configured to include, in the first authentication packet, a timestamp that indicates that the first authentication packet is current to an authentication session.
 6. The secure communication device of claim 1, wherein the hardware identity module comprises a physical unclonable function.
 7. The secure communication device of claim 6, wherein the processor is configured to send an authentication-update packet that includes an authentication token based on the hardware-intrinsic identity of the secure communication device and includes a session key.
 8. The secure communication device of claim 1, wherein the processor is configured to perform elliptic curve cryptography to generate the first authentication token.
 9. The secure communication device of claim 1, wherein the processor is further configured to send an authentication-update packet that includes an authentication token based on the hardware-intrinsic identity of the secure communication device and that includes an updated public key.
 10. The secure communication device of claim 1, wherein the first authentication packet indicates, to the verifying device, that the secure communication device possesses the secret and limits information disclosed to the verifying device to confirmation that the secure communication device is in possession of the secret.
 11. A computer-implemented method of non-interactively authenticating a secure communication device, the method comprising: receiving, by a processor, an output from a hardware identity module comprising a hardware-intrinsic identity unique to the secure communication device responsive to a challenge value associated with generation of an authentication token, wherein the output is based on physical properties of circuitry of the hardware identity module; generating, by the processor, using the output, a first authentication token encoded with a public key associated with the hardware-intrinsic identity of the secure communication device; generating, by the processor, a first authentication packet including the first authentication token; and transmitting, by the processor, the first authentication packet for non-interactive authentication in zero knowledge at a verification device, wherein the first authentication packet enables the verifying device to authenticate the secure communication device in zero knowledge by indicating, to the verification device, that the secure communication device possesses a secret without revealing the secret to the verification device.
 12. The method of claim 11 further comprising an act of encrypting a session key using asymmetric encryption and the public key of the verifying device; and including the encrypted session key in the first authentication packet.
 13. The method of claim 12, further comprising encrypting, in the first authentication packet, a signature of the secure communication device over the session key.
 14. The method of claim 11, further comprising generating a nonce value for blinding the authentication token.
 15. The method of claim 11, further comprising including, in the first authentication packet, a timestamp that indicates that the first authentication packet is current to an authentication session.
 16. The method of claim 11, wherein: the hardware identity module comprises a physical unclonable function (PUF), and the act of generating the first authentication token includes using a PUF output to encode a zero-knowledge proof token.
 17. The method of claim 11, further comprising: generating, by the processor, an authentication-update packet to include an authentication token based on the hardware-intrinsic identity of the secure communication device and to include a session key; and sending, by the processor, the authentication-update packet to the verifying device.
 18. The method of claim 11, further comprising: generating, by the processor, an authentication-update packet to include an authentication token based on the hardware-intrinsic identity of the secure communication device and to include an updated public key; and sending, by the processor, the authentication-update packet to the verifying device.
 19. The method of claim 11, wherein the first authentication packet indicates, to the verification device, that the secure communication device possesses the secret and limits information disclosed to the verification device to confirmation that the secure communication device is in possession of the secret.
 20. At least one non-transitory computer-readable storage medium containing processor-executable instructions that, when executed, perform a method comprising: receiving an output from a hardware identity module of a secure communication device comprising a hardware-intrinsic identity unique to the secure communication device responsive to a challenge value associated with generation of an authentication token, wherein the output is based on physical properties of circuitry of the hardware identity module; generating, using the output, a first authentication token encoded with a public key associated with the hardware-intrinsic identity of the secure communication device; generating a first authentication packet including the first authentication token; and transmitting the first authentication packet for non-interactive authentication in zero knowledge at a verification device, wherein the first authentication packet enables the verifying device to authenticate the secure communication device in zero knowledge by indicating, to the verification device, that the secure communication device possesses a secret without revealing the secret to the verifying device. 